Intro
I started writing my configuration files after reading these blogs:
- jackhanington.com/blog (April 2014)
- http://everythingshouldbevirtual.com (December 2014)
And do not forget, this is just a tool ... you need a human behind it.
Logstash part
The configuration file (tested with Logstash 1.4.2) is available here: Raw Cisco ASA logstash config file

Warning: do not forget this simple rule with Logstash. If you use several configuration files in your /etc/logstash/conf.d directory (which I do), Logstash concatenates every file in that directory into the equivalent of one big configuration. Inputs cannot carry conditions, so give each input its own type (or tag) and wrap your filter and output sections in a condition on that type. If you don't, you will have some surprises, such as duplicated log entries: an output without a condition receives the events of every input in the directory.

This configuration file assumes that your ASA logs are written to the /var/log/collection/asa/ directory (by rsyslog). Logstash can also receive the logs directly from the network, for example with a syslog or udp input.
I decided to send all my ASA logs to a dedicated daily index, asa-YYYY.MM.DD.
This lets me apply a "logrotate"-like retention policy per type of log and keeps my queries cheap: only the ASA indexes are queried for this ASA dashboard.
My Logstash configuration picks the index from the date contained in the log line itself, not from the time the event arrived. This is useful if you are doing a post-mortem import of logs or if the log forwarding process was down for a while.
Use and abuse of:
/opt/logstash/bin/logstash -t -f /etc/logstash/conf.d/myconf.conf
Check your Logstash configuration before restarting the service (a configuration reload does not exist in Logstash 1.4/1.5; it is on the roadmap for 2.0). Note that -t only validates the syntax and plugin options; it does not run your grok or date filters against real events, so test those on a sample line before trusting a new pattern.
If you need to adapt the time zone used by the date filter, check: http://joda-time.sourceforge.net/timezones.html
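The conf.d layout described above, written out as an added example (this is not the author's file, which is linked above): one file input tagged with a type, a filter and an output that only act on that type, a date filter that takes @timestamp from the log line with an explicit time zone, and the daily asa- index. The log path glob, the ASA hostname in the sample line, the Europe/Paris time zone, the sincedb path and the Elasticsearch host are assumptions.

```logstash
# Added example of a conf.d file for the ASA pipeline (not the author's file).
# Assumptions: rsyslog writes one message per line under /var/log/collection/asa/
# in the classic syslog layout. Constructed sample line used while testing:
#   Jun 20 14:03:11 fw-edge %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.3/51234 (10.1.2.3/51234)

input {
  file {
    path           => "/var/log/collection/asa/*.log"   # assumption
    type           => "cisco-asa"       # the key every condition below tests
    start_position => "beginning"       # re-read old files on a post-mortem import
    sincedb_path   => "/var/lib/logstash/sincedb-asa"   # assumption
  }
}

filter {
  # Inputs cannot carry conditions, so the type set above is what isolates
  # this pipeline from the other files concatenated from conf.d.
  if [type] == "cisco-asa" {
    grok {
      # CISCOTAG ships with Logstash's default patterns and matches "ASA-6-302013";
      # the leading "%%" is a literal percent sign followed by the pattern.
      match => [ "message", "%{SYSLOGTIMESTAMP:syslog_ts} %{SYSLOGHOST:device} %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}" ]
    }
    # Set @timestamp from the log line, not from when Logstash read it, so late
    # or replayed events land in the index of the day they actually happened.
    # Syslog pads single-digit days with a second space, hence the two formats.
    date {
      match    => [ "syslog_ts", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
      timezone => "Europe/Paris"        # assumption: the zone the ASA clock uses
    }
  }
}

output {
  # Without this condition every event from every input in conf.d would be
  # written here too, which is the "duplicated log entries" surprise.
  if [type] == "cisco-asa" {
    elasticsearch {
      host  => "localhost"              # Logstash 1.x option name; 2.x renamed it "hosts"
      index => "asa-%{+YYYY.MM.dd}"     # daily index, date taken from @timestamp
    }
  }
}
```

Drop the file into /etc/logstash/conf.d/, run it through the -t check above before restarting, and, while tuning the grok and date filters, temporarily add a stdout { codec => rubydebug } output inside the same condition to see the parsed fields and the @timestamp that each sample line produces.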
Kibana 3 part
The dashboard for investigation. You can get it there. I am using it in full screen mode on a 1920x1080 screen.
Kibana 3 Cisco ASA sample dashboard
The dashboard contains:
- a time line and several terms widgets
- GeoIP widgets
- a table with the logs
Time line & terms widget
IMHO, even if vertical scrolling is better than lateral scrolling (the Kibana 3 framework prevents lateral scrolling), I like to have all my important widgets visible without any scrolling. Thus I am not using a full-width time line widget (8 spans out of 12). For the demo, on the second line, I have put the revert count in "bar" format to color the dashboard and show you different options, but I would rather use the "table" form. The bar and pie are more graphical, but they cannot be used to exclude a value from your investigation, only to zoom in, which I do most of the time.
Include / Exclude action
GeoIP widgets
Most of the time the GeoIP widgets are fun to look at but not very relevant, because of the users' ordinary web browsing on the Internet (websites are hosted everywhere!). They become interesting once you start filtering during an investigation. For example, if you look at outgoing DNS traffic, you may find some going to places where it should not. This is why they sit in a dedicated row in my dashboard: you can collapse it when you want.
Table with logs
Nothing special there.
Kibana 4
This won't be for this time.
Kibana 4 sample dashboard
- At the time of this post, Kibana is at 4.0.2 and it is not possible to export the schema of a dashboard as in Kibana 3. It is planned for the 4.1.0 release.
- Kibana 4.0.2 and Firefox ESR are not best friends (scripts run at 100% CPU when editing a visualization with non-analyzed fields).
This may get an update shortly with Kibana 4.1.
[Update : June 22, 2015 : link to the new blog post]